NFDI AAI: Handling the login for 30 scientific disciplines

Marcus Hardt for the IAM4NFDI Team

Feb 2026

NFDI

NFDI Background

  • NFDI: National Research Data Initiative
  • https://nfdi.de
  • Three rounds of calls
  • 27 Consortia (call 1 + call 2 + call 3)
    • To span many different scientific disciplines
      (social, humanities, engineering, earth, chemistry, physics, …)
  • ~ 90 M€/a
  • 5 years (+ potential extension: 5 years)

NFDI Background

  • NFDI first focussed on consortia
    • Later: Basic Services, useful for many consortia:
    • Basic services: Persistent Identifiers (PID), Metadata, Multicloud, IAM, Accounting
    • Lifecycle: Initialisation, Integration, Ramp-Up
  • Identity and Access Management
    • Ramp-Up Phase officially starts on Feb 1st 2024
    • Funding 6FTE until Jan 2026
    • Funding extended via “Ramp-Up Phase” until Jan 2028

IAM4NFDI Project

IAM4NFDI Goals

  • Provide state-of-the-art IAM to all NFDI Consortia
  • Use home organisation identity
  • Enable delegated group management
    (Virtual Organisations)
  • Open for NFDI and beyond
  • Compatible with AARC / EOSC
  • Community AAI as a Service!

Project status

  • We have
    • Architecture ✅
    • Defined set of attributes ✅
    • Policies ✅
    • Documentation ✅

https://doc.nfdi-aai.de

This slide is actually old

What did we do since 2024?

Documentation

https://doc.nfdi-aai.de

  • We extended the documentation
  • We implemented more proxies
    • Btw: four (not one)
    • Allows friendly competition and everyone to participate
  • Add more communities
    • Working on LifeScience AAI
    • And their services
  • Establish relations

Implementation Status

Incubators

A wonderful success story

  • Before Incubators
    • Website documentation ready
    • Several presentations to communities: “How to use AAI”
    • Consortia didn’t understand us

Incubators

Thanks Niels!

A wonderful success story

  • The Incubator effect
    • Consortia wrote proposals for working with us
      • Even though there was no funding
    • Regular catchup calls
    • Some even asked where to send deliverables
  • Great success!
    • Following the GEANT Incubator concept
    • And the presentation of the results

Incubators

Attributes

Basic Attribute Profile

Attribute definitions:
https://doc.nfdi-aai.de/attributes

  • User identifier (created by CAAI)
    • Non-reassignable
    • and persistent
    • and unique
  • Name information
  • Email information
  • Home Organisation information
  • Affiliation within the community
  • Affiliation at the Home-Organisation
  • Assurance (REFEDS Assurance Framework)

  • EduID assigns life-long persistent identifier: [SubjectID|sub]
  • Community-AAIs pass it on in voperson_external_id
    • Infrastructure Proxy can sort things, if required

Extended Attribute Profile

  • Groups and roles: eduPersonEntitlement
  • Capabilities: eduPersonEntitlement
  • Agreement to policies
  • ORCID identifier
  • Supplemental Name Information
  • Authentication Profiles
  • External Identifier
  • SSH-Keys

Authorisation by the Services

  • Group based
  • Resource Capabilities
    • Parametric scopes via information from external attribute authority
  • Home-org based
    • Dynamic groups to reflect
      • Helmholtz-member
      • Home Organisation
    • Affiliation
    • Assurance
  • Resource entitlements
  • Parametric Scopes

Authorisation Examples

  • Service is not usable for social logins
  • Service is only for members of a specific group
    • aka Virtual Organisation (VO)
    • aka Computing Project (e.g. in HPC)
    • aka Collaboration
  • Service is only for a particular group, based on their role at the Home-Organisation
    • Service is only for students
    • Service is only for employees
    • (faculty)?
  • Resource capabilities
    • What is the holder of the token allowed to do
    • Start VM
    • Read specific file

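The authorisation patterns listed above (group based, resource capabilities, home-org based, assurance, and the "not for social logins" rule), as an added example that is not code from the IAM4NFDI project: the attribute names follow the slides, while the `urn:geant:nfdi.example` namespace, the group/capability entitlement layout and all sample claim values are constructed assumptions.

```python
# Added example, not code from the IAM4NFDI project. Attribute names follow the
# slides; the urn:geant:nfdi.example namespace and all sample values are constructed.

# Constructed claims as a service might receive them after a home-org login.
HOME_ORG_CLAIMS = {
    "voperson_external_id": "a1b2c3d4@eduid.example",
    "eduperson_scoped_affiliation": ["employee@uni.example", "member@uni.example"],
    "eduperson_assurance": ["https://refeds.org/assurance/ID/unique",
                            "https://refeds.org/assurance/IAP/medium"],
    "eduperson_entitlement": [
        "urn:geant:nfdi.example:group:vo-chem:admins:role=member#aai.example",
        "urn:geant:nfdi.example:res:vm:start#aai.example",
    ],
}

# Constructed claims for a social login: no Home Organisation, low assurance.
SOCIAL_CLAIMS = {
    "voperson_external_id": "98765@social.example",
    "eduperson_assurance": ["https://refeds.org/assurance/IAP/low"],
    "eduperson_entitlement": [],
}

def _entitlements(claims):
    """eduPersonEntitlement values with the trailing '#authority' removed."""
    return [e.split("#", 1)[0] for e in claims.get("eduperson_entitlement", [])]

def in_group(claims, namespace, group):
    """Group based: member of <group>, of any of its subgroups, or with any role in it."""
    prefix = f"urn:geant:{namespace}:group:{group}"
    return any(e == prefix or e.startswith(prefix + ":") for e in _entitlements(claims))

def has_capability(claims, namespace, resource, action):
    """Resource capability: what the token holder may do, e.g. ("vm", "start")."""
    return f"urn:geant:{namespace}:res:{resource}:{action}" in _entitlements(claims)

def has_affiliation(claims, affiliation, home_org=None):
    """Home-org based: role at the Home Organisation, e.g. student@uni.example."""
    for scoped in claims.get("eduperson_scoped_affiliation", []):
        role, _, org = scoped.partition("@")
        if role == affiliation and home_org in (None, org):
            return True
    return False

def is_home_org_login(claims):
    """'Not usable for social logins' (assumed rule): a Home Organisation
    affiliation must be present and the identity must carry REFEDS ID/unique."""
    return (bool(claims.get("eduperson_scoped_affiliation"))
            and "https://refeds.org/assurance/ID/unique"
            in claims.get("eduperson_assurance", []))
```
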
Policies

Policies

  • Essential: Concept of Policy Frameworks
    • SIRTFI
    • SNCTFI
    • REFEDS Data Protection Code of Conduct
    • REFEDS Assurance Framework
    • AARC-I051: Guide to Federated Security Incident Response for Research
  • Actual policies need to follow the Policy Frameworks
    • Top Level Infrastructure Policy (TLP)
    • Security Incident Response Policy (SIRP)
    • Policy on the Processing of Personal Data (PPPD)
    • Virtual Organisation (VO) Membership Management Policy (VOMMP)
    • Virtual Organisation (VO) Life Cycle Management (VOLCM)
    • Service Access Policy (SAP)
    • Privacy Policy Template (PP (per VO / per Service))
    • Acceptable Use Policy Template (AUP (per VO / per Service))

Policies

https://doc.nfdi-aai.de/policies

Policies: Take Away

  • Policies are not difficult to realise
    • Work is already done
  • Policies do not contain surprises
  • Only one policy has to be written from scratch (required by law: GDPR)
  • Policy uptake in the communities: “Less enthusiastic than anticipated”

Final Words

  • IAM4NFDI is
    • a wonderful collaboration
      • (though underfunded)
    • a unique opportunity to build on “green grass”
      • (we were late to the party)
    • very well received in the German research landscape
      • contacts from outside NFDI and outside Germany
    • full of surprises
    • a brainchild of AARC, and with this: FIM4R
  • There’s also an awesome AAI explainer Video here!!!

Thank you!!